Server Authentication with Certificates
Server authentication is performed using the Diffie-Hellman key
exchange. This is what happens when certificates are used:
- The server sends its certificate (which includes its public key)
to the client. The packet also contains random data unique to the
session and signed by the server's private key.
- As the server certificate is signed with the private key
of a certification authority (CA), the client can verify the
validity of the server certificate by using the CA certificate.
- The client checks that the certificate contains the fully
qualified domain name of the server. (This check can be disabled by
the Cert.EndpointIdentityCheck option in the client
configuration file to
- The client verifies that the server has a valid private
key by checking the signature in the initial packet.
When certificates are used, a man-in-the-middle attack is no
longer a threat during key exchange, because the system checks that
the server certificate has been issued by a trusted CA.
During authentication the system also checks that the certificate has
not been revoked. This can be done either by using the Online
Certificate Status Protocol (OCSP) or by using a Certificate Revocation
List (CRL), which can be published in either an LDAP or an HTTP repository.
OCSP is automatically used if the certificate contains a valid
Authority Info Access extension. Correspondingly, CRLs are
automatically used if the certificate contains a valid CRL
Distribution Point extension. If LDAP is used as the CRL publishing
method, the LDAP repository location can also be defined in the
file (see below).
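The following Go program is an added example, not code from the product documentation: it builds a CA and server certificate from constructed sample data (the CA name, host name and OCSP/LDAP URLs are assumptions), then performs the client-side checks listed above (chain to a trusted CA, FQDN present in the certificate) and applies the revocation rule from the previous paragraph (OCSP if an Authority Info Access URL is present, otherwise a CRL Distribution Point).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildDemoChain issues a CA certificate and a server certificate from constructed sample data
// (CA name, host name and URLs are assumptions). Errors are ignored: the templates are fixed and valid.
func BuildDemoChain() (ca, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ssh.example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		DNSNames:              []string{"ssh.example.com"},                // FQDN the client compares
		OCSPServer:            []string{"http://ocsp.example.com"},        // Authority Info Access
		CRLDistributionPoints: []string{"ldap://ldap.example.com/cn=crl"}} // CRL Distribution Point
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey) // self-signed
	ca, _ = x509.ParseCertificate(caDER)
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvT, ca, &srvKey.PublicKey, caKey) // CA-signed
	server, _ = x509.ParseCertificate(srvDER)
	return ca, server
}

// VerifyServerCert checks the chain to the trusted CA and that host is the FQDN in the certificate.
func VerifyServerCert(server, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// RevocationSource: OCSP if an AIA OCSP URL is present, otherwise a CRL if a Distribution Point is present.
func RevocationSource(c *x509.Certificate) string {
	switch {
	case len(c.OCSPServer) > 0:
		return "ocsp:" + c.OCSPServer[0]
	case len(c.CRLDistributionPoints) > 0:
		return "crl:" + c.CRLDistributionPoints[0]
	}
	return "none"
}
```

The revocation check itself (fetching the OCSP response or CRL) is not performed here; the function only selects the source the way the text describes.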